Those numbers are the counts of the email messages we received from the portion of the campaign that pretended to be related to LinkedIn. In the graphic above, you can see that the "From" address is on "live.com" and the "Reply-To" is on "linkedin.com". Actually, neither of those things was true.

Here are the actual mail headers (although I've redacted a couple things from this one):

In this image, the "fake" values are highlighted in green while the "real" values are highlighted in yellow. This email did NOT come from LinkedIn's IP 63.211.90.176. It really came from 173.200.78.57. (Many hundreds of IPs were used.)

We actually saw this same style of mail-header faking beginning last November, especially during a rampant USAA phishing campaign where the destination websites were all on '.tk' domains. I didn't focus on that aspect in the story (instead we found the REAL sender IP addresses and wrote about those), partly because at the time I didn't understand how it was possible!
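The header trick described above comes down to one rule: only the "Received" line written by your own mail server can be trusted, because every line below it arrived inside the message and can say whatever the spammer wants. Here is an added example (my illustration, not code from the campaign or from any product) that applies that rule to a constructed header block modelled on the case above. The two IP addresses are the ones from the article; the host names, message IDs and the local MX name "mx.example.net" are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers: the outermost Received line was added by the receiving
# MX (trusted) and shows the real connecting IP; the inner Received line is
# attacker-supplied and claims the mail came from LinkedIn's address.
SAMPLE_HEADERS = """\
Received: from mail.linkedin.com (unknown [173.200.78.57])
\tby mx.example.net (Postfix) with ESMTP id PLACEHOLDER1
\tfor <victim@example.net>; Tue, 12 Apr 2011 10:15:02 -0500
Received: from mail.linkedin.com (mail.linkedin.com [63.211.90.176])
\tby mail.linkedin.com (Postfix) with ESMTP id PLACEHOLDER2
\tfor <victim@example.net>; Tue, 12 Apr 2011 10:14:59 -0500
From: "LinkedIn" <invitations@live.com>
Reply-To: noreply@linkedin.com
Subject: Is that Your Boyfriend?

"""

# Postfix-style Received lines carry the connecting address in square brackets.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(received_line):
    """Return the bracketed IPv4 address from one Received header, if any."""
    m = IP_RE.search(received_line)
    return m.group(1) if m else None


def domain_of(header_value):
    """Extract the domain part of an address header such as From or Reply-To."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw_message):
    """Compare the trusted MX view of the sender with what the message claims."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received", [])
    # Received headers are prepended at each hop, so index 0 is the line our
    # own MX wrote and the only one whose IP we can believe.
    real_ip = connecting_ip(received[0]) if received else None
    claimed_ips = [connecting_ip(r) for r in received[1:]]
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))

    findings = []
    if from_domain and reply_domain and from_domain != reply_domain:
        findings.append(f"From domain {from_domain} differs from Reply-To domain {reply_domain}")
    for ip in claimed_ips:
        if ip and ip != real_ip:
            findings.append(f"inner Received line claims {ip} but our MX saw {real_ip}")
    return {
        "real_ip": real_ip,
        "claimed_ips": claimed_ips,
        "from_domain": from_domain,
        "reply_domain": reply_domain,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in analyze(SAMPLE_HEADERS)["findings"]:
        print(line)
```

When run on the sample, the script reports that the From and Reply-To domains disagree and that the inner "Received" line's 63.211.90.176 is contradicted by the 173.200.78.57 our own server actually talked to. The same approach is what lets you recover the real sender IPs for a whole campaign from your own mail logs.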

All of the spam messages listed above, whether they are the "New Car" version or the "Is that Your Boyfriend?" or even the "Hello!" versions, have a common website location being advertised. They use random numbers in the hostname portion of the website address, but they all point to:

arcid_[RND#].oposumcruiser.com/arc/file/

That website looks like this:

UPDATE!!

I've received an update from my friend Steven Burn who runs the websites of Ur I.T. Mate Group. He pointed out to me that even if you don't download the .exe file from this page, you are still at risk just by visiting the site. There is an IFRAME hidden in the source code of the page that directs all visitors to load the Blackhole Exploit Kit from another location. As of this writing that other location is:

http://motorssmonito.com/forum.php?tp=778973f6b2977050

(Visit at your own risk - it WILL try to infect you!)

The excellent folks at UCSB's Wepawet project provide this decoding of the page:

which shows all the little tricks it tries to use to infect you, including loading malicious .jar files, .pdf files, .avi files,

/End Update - Thank you, Mr. Burn!
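Mr. Burn's point is worth turning into a check you can run yourself: the page infects visitors through an IFRAME that is kept invisible (tiny dimensions, hidden styling, or an off-screen position) and points somewhere other than the site you are looking at. The following is an added example of mine, not code from Wepawet or from the page itself, that scans saved HTML for frames with those characteristics. The sample page is constructed and the frame target "ek-landing.example" is a placeholder standing in for the exploit kit location.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page modelled on the fake download site: a visible download link
# plus a hidden frame pulling in a remote exploit page. The hosts are placeholders.
SAMPLE_PAGE = """
<html><body>
<h1>Your archive is ready</h1>
<a href="/arc/file/archive.exe">Download archive.exe</a>
<iframe src="http://ek-landing.example/forum.php?tp=PLACEHOLDER"
        width="1" height="1" style="visibility: hidden"></iframe>
<iframe src="http://ads.example/banner" width="300" height="250"></iframe>
</body></html>
"""


def _tiny(value):
    """True for width/height values of 0 or 1 pixel (with or without units)."""
    digits = re.match(r"\d+", value.strip())
    return digits is not None and int(digits.group()) <= 1


class HiddenIframeFinder(HTMLParser):
    """Collect iframes whose attributes try to keep them out of sight."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        for dim in ("width", "height"):
            if dim in a and _tiny(a[dim]):
                reasons.append(f"{dim}={a[dim]}")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("style hides frame")
        if re.search(r"(?:left|top):-\d+px", style):
            reasons.append("positioned off-screen")
        src = a.get("src", "")
        if reasons:
            self.hits.append({"src": src,
                              "host": urlparse(src).hostname or "",
                              "reasons": reasons})


def find_hidden_iframes(html):
    """Return every iframe in the document that is deliberately hidden."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


def external_hosts(html, page_host):
    """Hosts that hidden frames load from, excluding the page's own host."""
    return sorted({h["host"] for h in find_hidden_iframes(html)
                   if h["host"] and h["host"] != page_host})


if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_PAGE):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

The visible 300x250 advertising frame is left alone; only the 1x1 hidden frame is reported, together with the host it loads from, which is the value you would hand to your blocklist or proxy. Real kit landing pages often obfuscate the IFRAME with JavaScript, which is why a decoder like Wepawet is still needed for the hard cases; this scanner catches the static form.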

One of the characteristics of the "Avalanche" botnet that we believed was associated with the USAA phish back in November was that the destination website is "Fast Flux" hosted -- meaning that the IP address is constantly changed by having the nameserver resolve the domain name to many different locations.

The first time I looked at this website, it was resolving to the IP address 112.71.69.76 in Japan. But when I asked the nameserver for its location, it gave back eight different IP addresses:

Only a few minutes later when I rechecked, I found the additional IP addresses:

83.213.31.242
90.168.201.126
95.125.232.109
212.225.173.8

all resolving for the random "oposumcruiser.com" hostnames.

One of the many projects we have at the UAB Computer Forensics Research Lab is a Fast Flux tracker. Some of the other domains that are currently fluxing on this same space include perfectcheck2011.com, safeyourwork.net, personalsyscheck.com and safetylife2011.org which use the nameservers ns1.lonfd.net and ns1.cazonet.com. Most of those are autoforwarders for pharmaceutical websites such as sportsmedsrxpills.net which purports to be the "Canadian Health & Care Mall".
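To show what a Fast Flux tracker actually measures, here is an added example of my own (not the lab's tracker code). It replays a constructed log of DNS answers for the oposumcruiser.com hostnames and scores them on the three things that give flux away: many distinct addresses, addresses spread across unrelated networks, and a high turnover between lookups only minutes apart. The IP addresses are the ones reported above; the timestamps and the grouping into snapshots are assumptions for the example, and the "stable" domain is invented for contrast.

```python
from ipaddress import ip_address

# Constructed resolution log: (seconds since first lookup, A records returned).
# Addresses are those observed for the oposumcruiser.com hostnames; the timing
# is assumed for the example.
FLUX_LOG = [
    (0,   ["112.71.69.76"]),
    (60,  ["112.71.69.76", "83.213.31.242", "90.168.201.126"]),
    (300, ["83.213.31.242", "90.168.201.126", "95.125.232.109", "212.225.173.8"]),
]

# Constructed log for an ordinary domain whose answer never changes (TEST-NET address).
STABLE_LOG = [
    (0,   ["203.0.113.10"]),
    (60,  ["203.0.113.10"]),
    (300, ["203.0.113.10"]),
]


def flux_metrics(observations):
    """Summarise a resolution log into the numbers a flux tracker keys on."""
    seen = set()
    churn = 0
    previous = None
    for _, answers in observations:
        current = {str(ip_address(ip)) for ip in answers}  # validates each address
        if previous is not None:
            # Addresses added or dropped since the previous lookup.
            churn += len(current ^ previous)
        previous = current
        seen |= current
    # Distinct /16 prefixes stand in for "different networks"; a real tracker
    # would map each address to its ASN instead.
    networks = {".".join(ip.split(".")[:2]) for ip in seen}
    window = observations[-1][0] - observations[0][0] if len(observations) > 1 else 0
    return {
        "distinct_ips": len(seen),
        "distinct_networks": len(networks),
        "churn": churn,
        "window_seconds": window,
    }


def is_fast_flux(observations, min_ips=4, min_networks=3, max_window=3600):
    """Flag a domain when it cycles through many unrelated addresses quickly.

    The thresholds are assumptions chosen for this example, not values from
    any published tracker.
    """
    m = flux_metrics(observations)
    return (m["distinct_ips"] >= min_ips
            and m["distinct_networks"] >= min_networks
            and m["window_seconds"] <= max_window
            and m["churn"] > 0)


if __name__ == "__main__":
    for name, log in (("oposumcruiser.com", FLUX_LOG), ("stable.example", STABLE_LOG)):
        print(name, flux_metrics(log), "FAST FLUX" if is_fast_flux(log) else "normal")
```

Five addresses in five different /16s, with the answer set turning over on every lookup inside five minutes, is exactly the signature the lab's tracker is built to spot; the stable domain scores zero churn and is left alone. In practice you would also record the TTL of each answer and the nameservers involved, since the same nameserver pair (ns1.lonfd.net and ns1.cazonet.com here) is what ties the pharmacy domains to this campaign.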

The fake website offers a download for you as an executable file, "archive.exe".

According to the AV products on the VirusTotal website, this is either the Zbot trojan (commonly known as Zeus) or Kazy.

www.realgirlfights.org CNAME realgirlfights.org
lrnsxmztnqiomiq.com A 72.249.171.121
wqonlrwkuswjzmm.net A 72.249.171.121
lmnqnxypfulhgxo.biz A 72.249.171.121
kmxpiylvojgjcus.biz A 72.249.171.121

That IP is Colo4Dallas LP (AS36024) in Dallas, Texas.

Steven Burn provided the following list of related domains, as well as the path which hosts their respective badness. Again, please don't follow these links unless you are a malware researcher in a safe environment.